Boscloner Build Instructions

Get in, Get Sexy, Get out.

Want your own Boscloner? Buy them here, or build one yourself with the instructions below!

The Boscloner has been designed to allow penetration testers and tech enthusiasts to build their own from the ground up with minimal effort. We provide full build instructions for both beginners and advanced users (soldering g0ds).

Now shipping all orders!!

Notable Items

The Boscloner is completely open-source and therefore encourages other users to build upon this research.

We provide a complete Bill of Materials (BOM) / Parts List, which allows you to build your own or order the boards assembled.

The Boscloner's research piggybacks off of tremendous research projects, such as the Proxmark and the Bishop Fox Tastic RFID Thief

While the Boscloner has been proven to be exceptionally successful on real-world penetration testing assessments, it is considered a community research project, and there is always room for improvements, feature additions, and stability fixes.

BOSCLONER RFID CLONER INSTRUCTION MANUAL

BOSCLONER/PROXMARK3 BOARD OVERVIEW

The Boscloner/Proxmark3 (BC/PM3) board is based upon the available Proxmark3 design, with the following additions. The BC/PM3 board adds 2x 8-pin headers which break out the SPI bus and extra IO on the PM3 board. The extra headers allow a Boscloner “shield” to be plugged into the PM3 board and communicate with it. The Boscloner Shield is intended to act as a gateway to the PM3, which allows custom commands and functions to be added to the base functionality of the PM3. The shield also allows many types of additional functions to be added, some of which were used on the Boscloner Shield board.

BOMS

BUILDING THE BOARD

To build the board, the user can order the parts from the supplied BOM and assemble the board themselves.

PM3/Boscloner Board

PM3 with Boscloner Shield

SOURCE CODE DEVELOPMENT FOR THE BOSCLONER PM3 BOARD

The Boscloner PM3 functionality is based upon the stock Proxmark ProxSpace project, which contains all of the stock PM3 functionality. Instructions for setting up and using the Proxmark3 (all of which apply to the Boscloner Proxmark3) can be found on the Proxmark3 GitHub wiki (https://github.com/Proxmark/proxmark3/wiki/Windows). The modified source code for the Boscloner project is available from the Boscloner source package (https://goo.gl/gdNiVp) and can be used as a basis for adding further custom functionality to the Boscloner/PM3 environment.

BOSCLONER SHIELD BOARD OVERVIEW

The Boscloner Shield (BCS) was designed as a shield to plug into the BC/PM3 board and add the following features.

Features

SPI gateway to send and receive custom commands from the BC/PM3 board.

Bluetooth communication

OLED 128x64 LCD

Wiegand decoding plug in interface

Optional SD card expansion

2x Push buttons

2x User LEDs

High performance MK22FN512LH12 MCU

120MHz performance

Floating point operation

512KB flash

128KB SRAM

Optional USB functionality

Additional power

Optional USB communication

BUILDING THE BCS

The BCS can be built in two different ways: it can be easily assembled using off-the-shelf modules, or professionally built using standard SMT assembly processes.

STANDARD SMT ASSEMBLY PROCESS

The BCS uses standard SMT components so that it can be easily assembled by any SMT assembly house. Optionally, a user can hand-build the board using standard SMT parts from the supplied BOM.

Complete SMT build

OFF-THE-SHELF MODULES

The BCS was designed to allow for a number of off-the-shelf modules to be directly plugged in and soldered to additional headers on the board.

The supplied output power cable for the Lenmar will need to be cut and connected as shown below in order to power the Maxiprox from the Lenmar power supply.

Lenmar Power cable wiring

White = 19V Power - connect to TB1 Pin1 of the Maxiprox as shown.

Copper = Ground - Solder to Wiegand ground and connect to TB1 Pin3 of the Maxiprox header as shown.

Connect the mini USB power cable to the Boscloner/PM3

Use double-sided Velcro attached to the backside of a T5577 card and the LF antenna (to ensure the location of the card is centered optimally)

Connect Hirose USB connector to Boscloner/PM3 and LF antenna

Connect Wiegand cable from the Maxiprox to the Boscloner/PM3

Connect the Maxiprox power cable to the Lenmar power supply

BOSCLONER APP OVERVIEW

Features:

View cloned and scanned cards history

Enable/disable autoclone functionality of Boscloner/PM3

Clone any of the cards stored in history

APP INSTALLATION INSTRUCTIONS

The user can directly download the Boscloner APK application package from GitHub (https://github.com/boscloner). There may be some warnings about installing an application from outside of the Google Play Store. Click OK on these warnings and install the Boscloner App.

APP USAGE INSTRUCTIONS

1) You must first “pair” with the HC-06/HC-05 device from the Bluetooth settings in the Android app. Be sure the Boscloner/PM3 is powered on and the Bluetooth LED is blinking. Go to Bluetooth settings from the Android settings, search, then pair with the found HC-06/HC-05 device.

No manual pairing is required since we are now using the new BLE modules.

2) Once the HC-06 / HC-05 has been paired, you can open the Boscloner app and connect to the HC-06 / HC-05. Select the HC-06 / HC-05 from the drop-down menu and press the Connect button. The pink “clone” button will light up and the terminal window will show “MCU ACK” (acknowledge).

3) The “Clone” button is enabled by default and will cause the Boscloner/PM3 to autoclone cards when the Maxiprox scans card data.

The terminal window will show the data that is “cloned” or “scanned” (only read and not cloned). When a card is “cloned”, the card ID will be stored in the “History” window of the App.

The user can view and clone card IDs directly from the “History” window of the Boscloner App.

4) To clone a stored history value, click the “...” icon from the main window in the Boscloner App. This will bring up all stored ID values. Scroll to the ID you want to clone and Long Press the ID. A pop-up will ask you if you really want to clone this ID value. Click “OK” and the ID will be sent to the Boscloner/PM3 to be cloned. The result will be displayed on the OLED display of the Boscloner/PM3.

OPERATION FEATURES

The Boscloner PM3 has the features outlined in the Overview section. The below image shows the given functions applicable to using the Boscloner to clone and scan cards.

The Boscloner/PM3 connects to the Boscloner app through the Bluetooth adapter.

Update data is displayed on the OLED Display.

The left Pushbutton enables and disables the Auto Clone feature.

The right Pushbutton resets the Shield board.

The Wiegand connector is used to connect the Maxiprox Wiegand signals to the Boscloner Shield.

Optional USB power is available through the micro USB connector

An optional microSD footprint is on the PCB for alternative storage functions

INSTRUCTIONS

Power the Boscloner/PM3 using the Mini USB connector on the PM3 Board

Connect the Wiegand cable from the Maxiprox to the Wiegand Connector shown in the image

Connect a LF antenna to the PM3 board using the Hirose USB connector

Once the board is powered, it will be in “Auto-Clone” mode, and once a card ID is received from the Wiegand cable, a clone will be run on the PM3 board and LF antenna. The display will update with events as they occur. The Auto-Clone feature can be enabled or disabled using the left push button. Connect to the board using the Boscloner App to utilize more features.

Desired Future Features

To add the ability to simply type in the ID values that the user wishes to write to a blank card, rather than relying solely on scanning new badges or using the history file.

Bug fixes

iOS App

App and Boscloner shield diversification to support Wiegand cards other than HID.

KNOWN ISSUES

Boscloner/PM3 board

When the PM3 board is connected to a PC and a terminal connection has not been opened, the board will periodically lock up and reset. Tests have been done with the original PM3 and the same problem occurs; therefore, it is believed that the issue is within the USB driver code of the official ProxSpace source code.

The issue does not occur when the Boscloner/PM3 board is connected to a power supply, which is how the board is expected to be used during real-world applications.

Boscloner Real-World Use

The Maxiprox “read” antenna is very strong, and can cause interference with the smaller “write” antenna that is used for cloning/writing to new badges. To remedy this, the write antenna and corresponding badge need to be isolated from possible interference. This is achieved by using a Faraday cage based approach. A simple paper cup (large enough to fit the “write” antenna) that is surrounded with tinfoil is enough to prevent disruptive interference (see figure of simple Faraday cage below). The Boscloner is designed to be used within a laptop messenger bag, but is flexible as long as the “read” antenna does not interfere with the “write” antenna.

The “write” antenna is weak, and the blank HID badge to be written must be very close and almost directly centered. To remedy this, one may simply attach a one-sided sticky piece of Velcro to both the HID badge itself and the “write” antenna. This makes it easy to place the badge where it needs to be in order to be properly written to while the user moves around their environment.